Rezilion: Devs Wasting Time on Wrong Cybersecurity Vulnerabilities
Rezilion, a provider of a platform for securing software supply chains, published a report today that argues most organizations waste their limited remediation resources. The report bases this conclusion on two figures: most organizations today are able to address only 10% of their vulnerability backlog, and only 5% of vulnerabilities are ever exploited. Unless that 10% of effort is aimed at the 5% that actually get exploited, most of the limited remediation capacity is spent on vulnerabilities that will never be attacked, the report concluded.
The Rezilion report relied heavily on the Exploitability Probability Prediction Score (EPPS) model to better estimate the probability that a vulnerability will be exploited, alongside its severity. EPPS is a community-driven effort that combines descriptive information about common vulnerabilities and exposures (CVEs) with evidence of actual exploitation to produce a score. The current EPPS model was trained with 1,164 variables, most of which are boolean values representing the presence or absence of a specific attribute.
In total, Rezilion said it identified more than 30 actively exploited vulnerabilities with a high EPPS score that were not listed in the Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA).
Yotam Perkal, head of vulnerability research for Rezilion, said the issue most organizations encounter today when relying solely on the Common Vulnerability Scoring System (CVSS) is that while it identifies the potential severity of a vulnerability, it offers no meaningful evaluation of the probability that the vulnerability will be exploited.
As a result, cybersecurity teams create a list of vulnerabilities that many application development teams then attempt to patch. However, given the limited resources available, most of that time is probably spent on vulnerabilities that are unlikely to be exploited, noted Perkal.
The exact 5% of vulnerabilities that might be exploited will naturally differ from one organization to the next. But it’s clear that more time needs to be devoted to prioritizing remediation efforts based on the probability a specific vulnerability is likely to be exploited, said Perkal.
A more holistic approach based on CVSS, KEV and EPPS combined with runtime validation would be a more effective methodology for prioritizing remediation efforts, he added.
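As an added illustration of the approach described above (this is not code from the Rezilion report), the following Python sketch ranks a constructed backlog two ways: by CVSS alone, and by combining CVSS with KEV membership, an exploit-probability score and a runtime-validation flag. The tier thresholds, the field names and the placeholder CVE ids are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float          # CVSS base score, 0.0-10.0: severity only
    exploit_prob: float  # EPPS-style probability of exploitation, 0.0-1.0
    in_kev: bool         # listed in CISA's Known Exploited Vulnerabilities catalog
    reachable: bool      # runtime validation: vulnerable code is loaded in a production workload


PROB_THRESHOLD = 0.10  # assumed cut-off; tune to the organization's risk appetite
TIER_ORDER = {"now": 0, "next": 1, "watch": 2, "backlog": 3}


def tier(f: Finding) -> str:
    """Assign a remediation tier from exploitation evidence plus runtime context."""
    likely_exploited = f.in_kev or f.exploit_prob >= PROB_THRESHOLD
    if f.reachable and likely_exploited:
        return "now"      # exploited (or likely to be) and actually running in production
    if f.reachable and f.cvss >= 7.0:
        return "next"     # severe but no exploitation evidence: schedule it, don't drop it
    if likely_exploited:
        return "watch"    # exploited in the wild but never deployed: re-check if it ships
    return "backlog"


def prioritise(findings):
    """Order by tier, then KEV membership, then exploit probability, then CVSS."""
    return sorted(findings, key=lambda f: (TIER_ORDER[tier(f)], not f.in_kev, -f.exploit_prob, -f.cvss))


def cvss_only(findings):
    """The severity-only ordering the article argues is wasting effort."""
    return sorted(findings, key=lambda f: -f.cvss)


# Constructed sample backlog; the CVE ids are placeholders, not real vulnerabilities.
SAMPLE = [
    Finding("CVE-XXXX-0001", 9.8, 0.01, False, True),   # critical on paper, no exploitation evidence
    Finding("CVE-XXXX-0002", 7.5, 0.85, False, True),   # high exploit probability, running in prod
    Finding("CVE-XXXX-0003", 9.1, 0.95, True, False),   # in KEV, but the code never reached production
    Finding("CVE-XXXX-0004", 5.3, 0.02, False, False),  # neither severe nor exploited nor deployed
]

if __name__ == "__main__":
    print("CVSS only:", [f.cve for f in cvss_only(SAMPLE)])
    print("Combined :", [(f.cve, tier(f)) for f in prioritise(SAMPLE)])
```

The two orderings disagree on what to fix first: CVSS alone puts the 9.8 at the top, while the combined ranking moves the reachable, highly exploitable 7.5 ahead of it.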
This lack of an effective scoring system is, of course, at the heart of the disconnect between cybersecurity professionals and application developers. Cybersecurity teams have been handing developers long lists of vulnerabilities to patch, but without any meaningful context, most of those patch requests are ignored. Developers lack the time and resources needed to create most patches, and when they do investigate where the code in question is running, it often turns out that while the code was downloaded from a repository, it never actually made it into an internet-facing production application.
Before too long, developers start to ignore cybersecurity alerts altogether. From their perspective, most of those alerts are the equivalent of a false positive.
It’s going to take some time for cybersecurity teams to regain credibility with application developers. Developers are generally more attuned to application security issues than they once were, but many remain skeptical of the vulnerability reports cybersecurity teams produce. The best way to bridge that divide is, arguably, to start with some simple math that can’t be ignored.